Social Media Exposure Points | CyberSecurity & Human Error Risk Factor

Since January 2020, the world has changed dramatically with the emergence and subsequent spread of COVID-19. In a very short space of time, this invisible enemy has forced more than 80% of the world’s population to work from home (WFH). This is proving to be both a logistical and budgetary nightmare for IT departments and companies of all sizes. For cyber “villains,” however, it’s like Christmas every day. Social engineering has become the number one attack vector across the current digital landscape. It enables phishing campaigns that result in data harvesting, malware and ransomware deployment, and it ultimately feeds more concentrated, time-consuming spear phishing attacks. Spear phishing is high effort for the attacker, but when planned and executed correctly, and combined with a hasty click of a mouse, it yields a correspondingly higher reward. Don’t be the next statistic: the FBI estimates that $26 Billion was lost between 2016 and 2019 to targeted spear phishing attacks (www.ic3.gov).

Thankfully, there’s a back-up team. IT departments and cyber security professionals worldwide manage their cyber security by securing endpoints, monitoring VPNs, patch management and cloud security, and implementing guidance and protocols for handling and securing sensitive company information outside the estate. However, for the greatest risk of all, the human, they offer only training and suggested reading material.

Now, let’s take a quick pause. To succeed with any of these attacks, the attacker needs an unwilling partner, aka an everyday person like you. This is not new; it has always been the case, but now it plays out on a much larger, more focused stage, a world stage, if you will. Every one of these attacks is built around the attacker’s ability to “social engineer” the victim. Unfortunately, COVID-19 has provided attackers with a mouth-watering menu of options for their delivery system: content about stimulus checks, information about Medicare fraud, home test kits, COVID-19 related fake domains, and associated charity scams. Put simply, social engineering succeeds because it exploits human weaknesses that affect all of us: fear, kindness, curiosity, pressure, our willingness to please. Everyone should be aware of the warning signs. The attacks generally take the form of these four main approaches:

  • Authority – the approach appears to come from someone or something we believe we should trust, like a government office.
  • Urgency – the approach carries some level of time pressure; your CEO is asking for the link and password for the meeting they are late for.
  • Emotion – the approach plays on current levels of fear, anxiety, hopefulness, curiosity or panic, like a cure being found for a virus.
  • Scarcity – the approach offers us something in short supply or a good deal, and plays on our natural weakness of not wanting to miss out, like the last box of personal protective equipment (PPE) face masks.
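The four approaches above are exactly what security awareness tooling tries to surface to a user before they click. The following scorer is an added example, not code from the original article or any product it describes: it checks a message for phrases typical of each approach and rates the combination, since a lure that stacks two cues (authority plus urgency is the classic CEO-fraud shape) is more suspicious than one cue alone. The cue phrases and the sample messages are constructed for illustration and would need tuning for real use.

```python
"""Heuristic scorer for the four social-engineering cues described above:
authority, urgency, emotion and scarcity.

Added example for this article; cue phrases and sample messages are
constructed placeholders, not a production word list."""
import re
from typing import Dict, List

# Constructed cue phrases, one list per approach (assumption: a real awareness
# tool would carry a much larger, tuned set and per-language variants).
CUE_PATTERNS: Dict[str, List[str]] = {
    "authority": [r"\bceo\b", r"\bdirector\b", r"\bgovernment\b", r"\bofficial\b",
                  r"\bhr department\b", r"\bmedicare\b"],
    "urgency":   [r"\burgent\b", r"\bimmediately\b", r"\bright now\b",
                  r"\bwithin \d+ (minutes|hours)\b", r"\blate for\b",
                  r"\bexpires? (today|soon)\b"],
    "emotion":   [r"\bcure\b", r"\bfear\b", r"\bpanic\b", r"\boutbreak\b",
                  r"\bhelp (a|the) (family|children)\b", r"\bdonat(e|ion)\b"],
    "scarcity":  [r"\blast (box|few|chance)\b", r"\blimited (stock|supply|time)\b",
                  r"\bonly \d+ left\b", r"\bwhile (stocks|supplies) last\b",
                  r"\bdon'?t miss out\b"],
}

COMPILED = {cue: [re.compile(p, re.IGNORECASE) for p in pats]
            for cue, pats in CUE_PATTERNS.items()}


def score_message(text: str) -> Dict[str, int]:
    """Count how many distinct cue phrases of each approach appear in the text."""
    return {cue: sum(1 for pat in pats if pat.search(text))
            for cue, pats in COMPILED.items()}


def triggered_cues(text: str) -> List[str]:
    """Names of the approaches that fired at least once, in fixed order."""
    return [cue for cue, n in score_message(text).items() if n > 0]


def risk_level(text: str) -> str:
    """Rate the message by how many approaches it combines.

    One cue is common in legitimate mail (a genuine deadline, a real charity
    appeal); two or more stacked together is the signature of a crafted lure.
    """
    cues = triggered_cues(text)
    if len(cues) >= 2:
        return "high"
    if len(cues) == 1:
        return "medium"
    return "low"


# Constructed sample messages mirroring the article's examples.
SAMPLE_MESSAGES = {
    "ceo_fraud": "Hi, this is your CEO. I'm late for the board meeting, "
                 "send me the link and password right now.",
    "charity":   "Urgent: help the children affected by the outbreak, "
                 "donate today before the appeal expires soon.",
    "ppe_deal":  "Only 3 left! Last box of protective face masks at this "
                 "price, don't miss out.",
    "benign":    "Reminder: the weekly team sync is on Thursday at 10am, "
                 "agenda attached.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:10s} {risk_level(body):6s} {triggered_cues(body)}")
```

Run as a script it prints one line per sample; the CEO-fraud and charity lures both stack two approaches and rate high, the PPE deal fires only scarcity and rates medium, and the meeting reminder rates low. The point is the combination rule rather than the word list: training users to notice two cues arriving together is what makes the four approaches actionable.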

[Image: circle risk score]

What is also clear is that these scenarios will continue to play out in life after COVID-19, and that is the takeaway every senior executive responsible for cyber budgets and for securing company assets and data should heed. Currently, companies offer employee training and suggested reading material to reduce this risk factor. Some even send simulated phishing emails to employees to test whether they can spot one. These approaches do improve a company’s overall risk posture, but eventually the training wears off and we, the users, return to old habits. A comprehensive strategy is needed that does not depend on memory alone.

Now add to the mix that, during this enforced and unwelcome WFH period, attackers can harvest additional personal information from people’s social media use and wider digital footprint. Everyone is signing up for new tools, solutions and memberships in search of total digital utopia and, to be honest, out of boredom.

Everyone’s browsing activity has massively increased as they search for everything from statistics on the virus’s spread to where to buy toilet rolls. Alongside this comes increased use of social media, not only to find information but to stay engaged with family and friends.

It is within this world of social media that attackers thrive when harvesting the intelligence for their spear phishing attacks. In times of crisis people share more; add isolation, and the need to receive, the willingness to accept, and the readiness to engage all ramp up together. All of this activity gives attackers additional material for specific spear phishing attacks against not only you but your loved ones and the individuals within your company. It is also the one source of exposure over which cybersecurity professionals have almost no control, and it is the most difficult to manage and police.

What companies need to focus on, during this crisis and beyond, is merging their current cyber security capability with closer scrutiny of social media: risk assessments for employees and overall corporate risk for the company. These risk “health checks” should be conducted regularly so that the individual and corporate risk these exposure points create is continuously monitored and, where necessary, reduced. Being proactive here and blending this form of risk assessment into current and future strategies means better preparedness for what lies ahead. Unfortunately, we will ultimately face another COVID-19 scenario; but even without one, companies should immediately shore up these critical weaknesses to reduce risk across their entire estate.